Bug 2005997
| Summary: | SELinux domain container_logreader_t does not have a policy to follow sym links for log files | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Todd Johnson <toddjohn> |
| Component: | Containers | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED ERRATA | QA Contact: | pmali |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.7 | CC: | aos-bugs, dwalsh, jnovy, miabbott, novyjindrich, tsweeney |
| Target Milestone: | --- | ||
| Target Release: | 4.10.0 | ||
| Hardware: | noarch | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | container-selinux-2.169.0-1.el9 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: missing allow rules in policy
Consequence: /var/log/containers log files unreadable
Fix: https://github.com/containers/container-selinux/releases/tag/v2.169.0
Result: fixed
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-03-10 16:12:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
@dwalsh can you take a look at this and assign it to yourself, please? The Bugzilla system isn't letting me change assignees at the moment. We only rebase for EUS releases, and only if it is definitely a show stopper, IE No workaround. This is the type enforcement file I created to work around the problem:
module logreader-links 1.0;
require {
type container_logreader_t;
class lnk_file getattr;
class lnk_file read;
attribute logfile;
}
#============= container_logreader_t ==============
allow container_logreader_t logfile : lnk_file {getattr read};
From what I can tell, the fix is included the the el9 RPM. Since this fix is important for logging agent pods, will this fix be back ported to existing RHEL/RH Coreos versions that are used for openshift worker nodes? Todd, Unless this is a blocker, I don't believe this will be backported to RH Coreos. However @miabbott would have the definitive answer there. (In reply to Tom Sweeney from comment #17) > Todd, > > Unless this is a blocker, I don't believe this will be backported to RH > Coreos. However @miabbott would have the definitive answer there. Based on the private comments on this BZ, there are no plans to backport this into RHEL 8.4, so it is not likely to land in any existing RHCOS/OCP releases. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056 |
Description of problem: A container using the SELinux domain of container_logreader_t to read container logs on the host at /var/log cannot access the logs from /var/log/containers since those logs are a symbolic link to /var/log/pods. All other log files in /var/log are accessible just not ones that are symlinks. Version-Release number of selected component (if applicable): 4.7, 4.8 openshift rhel 7.9 and 8.x How reproducible: Create a container with a host path to /var/log/. Set the security context to use selinux options type of container_logreader_t. Actual results: From within the container, try to read from a log file at /var/log/containers. You'll get a permission denied message, for example: ls: cannot access 'prometheus-adapter-7ff45fb5d7-djj4c_openshift-monitoring_prometheus-adapter-52a62260297bdc91c64301f1b254d761f31c2c920946091df9219452d229ab72.log': Permission denied The AVC error shows the following: time->Mon Sep 20 10:00:58 2021 type=PROCTITLE msg=audit(1632150058.037:5751017): proctitle=6C73002D2D636F6C6F723D6175746F type=SYSCALL msg=audit(1632150058.037:5751017): arch=c000003e syscall=6 success=no exit=-13 a0=7ffdfac56590 a1=564d17852a70 a2=564d17852a70 a3=0 items=0 ppid=32510 pid=33015 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid= egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="ls" exe="/bin/ls" subj=system_u:system_r:container_logreader_t:s0:c152,c493 key=(null) type=AVC msg=audit(1632150058.037:5751017): avc: denied { getattr } for pid=33015 comm="ls" path="/var/log/containers/prometheus-adapter-7ff45fb5d7-djj4c_openshift-monitoring_prometheus-adapter-52a62260297bdc91c64301f1b54d761f31c2c920946091df9219452d229ab72.log" dev="vda2" ino=3016396 scontext=system_u:system_r:container_logreader_t:s0:c152,c493 tcontext=system_u:object_r:var_log_t:s0 tclass=lnk_file permissive=0 sh-4.2# ls -la /var/log/containers/prom* [1] 120154 sh-4.2# lrwxrwxrwx. 1 root root 132 Sep 20 07:08 /var/log/containers/prometheus-adapter-7ff45fb5d7-djj4c_openshift-monitoring_prometheus-adapter-52a62260297bdc91c64301f1b254d761f31c2c920946091df9219452d229ab72.log -> /var/log/pods/openshift-monitoring_prometheus-adapter-7ff45fb5d7-djj4c_52b6ed3d-3900-4e1d-bf5b-e5ee7f9f4c08/prometheus-adapter/0.log I can read the log file from /var/log/pods just not via the symlink. Expected results: Log files should be readable via a symlink. Additional info: On my RHEL 7.9 host: sh-4.2# rpm -q container-selinux container-selinux-2.119.2-1.911c772.el7_8.noarch I have the same problem on my 8.4 host which uses: sh-4.4# rpm -q container-selinux container-selinux-2.162.0-1.module+el8.4.0+11311+9da8acfb.noarch On my 7.9 host, I used allow2audit (twice) to generate the following policy: #============= container_logreader_t ============== allow container_logreader_t var_log_t:lnk_file getattr allow container_logreader_t var_log_t:lnk_file read; Then it worked fine.